Configuring Windows Authentication with Apache 2.2.x and Subversion


I've been working on our development server at work to help streamline some processes. This included upgrading Subversion and Apache to the latest versions and installing Trac (so we can better track software issues).

To make it simpler to give developers and contractors access to the appropriate areas, I wanted to configure Apache to use Windows Authentication. This allows us to control who has access to what, just by making them members of the appropriate groups.

Since I'm new to Apache, this whole process has taken longer than what I wanted—but I certainly learned a lot in the process.

Getting Windows Authentication configured in Apache wasn't too difficult. I decided to use the mod_auth_sspi module since it seems to be the most popular one. When you go to download the module, you'll see file names that start with "mod_auth_sspi-1.0.4-". You'll want to download the file that ends in a version number matching your Apache install. I'm using Apache v2.2.4, so I downloaded the mod_auth_sspi-1.0.4-2.2.2.zip version. (NOTE: The main thing that's important is that you use the 2.0.x module for Apache v2.0.x and the 2.2.x module for Apache v2.2.x. The versions don't need to be identical.)

The mod_auth_sspi-1.0.4 zip file contains a /doc/ folder with an INSTALL text file that tells you how to configure things. You'll want to copy /bin/sspipkgs.exe to the /bin folder of your Apache install and /bin/mod_auth_sspi.so to the /modules folder.

The installation instructions tell you to load mod_auth_sspi.so last. However, this will not work if you plan on using SSPI with SVN. I believe technically you just need to load the module after the Apache mod_authn_alias.

In order to get the SSPI working with SVN, you need to load the mod_auth_sspi.so before you load the subversion modules. The order should look like:

# Windows Authentication module
LoadModule sspi_auth_module   modules/mod_auth_sspi.so

# Subversion modules
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so

NOTE:
Your Subversion installation also comes with copies of the mod_dav_svn.so and mod_authz_svn.so modules. I had no problems using the ones that shipped with Apache v2.2.4. However, if you are having problems, try using the versions that are in the Subversion install folder. I'd recommend pointing right to that folder, so as you update Subversion the modules will be updated too.

I can't stress how important the order above is. I spent about 4-5 hours this afternoon troubleshooting things and it all came down to the order of the LoadModule commands. I was getting all sorts of "Authorization failed" and "RA layer request failed" error messages until I got the load order right.
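
A pre-flight check for the load order described above, as an added example that is not part of the original post: it reads httpd.conf text and reports any Subversion module loaded ahead of mod_auth_sspi. The function names and the sample configuration are constructed for illustration; the module identifiers are the ones used in the LoadModule lines of this post.

```python
import re

# Module identifiers exactly as they appear in the LoadModule lines of this post.
SSPI = "sspi_auth_module"
SVN_MODULES = ("dav_svn_module", "authz_svn_module")

# A line that starts with '#' does not match, so commented-out modules are ignored.
LOADMODULE = re.compile(r"^\s*LoadModule\s+(\S+)\s+\S+", re.IGNORECASE)


def load_positions(conf_text):
    """Map module identifier -> line number of its first active LoadModule line."""
    first = {}
    for number, line in enumerate(conf_text.splitlines(), 1):
        match = LOADMODULE.match(line)
        if match:
            first.setdefault(match.group(1), number)
    return first


def check_load_order(conf_text):
    """Return a list of load-order problems; an empty list means the order is fine."""
    first = load_positions(conf_text)
    if SSPI not in first:
        return [f"{SSPI} is not loaded"]
    return [
        f"line {first[mod]}: {mod} is loaded before {SSPI} (line {first[SSPI]})"
        for mod in SVN_MODULES
        if mod in first and first[mod] < first[SSPI]
    ]


# Constructed sample: the INSTALL file's advice (SSPI last) applied to an SVN server.
SAMPLE_BAD = """\
LoadModule dav_module modules/mod_dav.so
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so
#LoadModule sspi_auth_module modules/mod_auth_sspi.so
LoadModule sspi_auth_module modules/mod_auth_sspi.so
"""

if __name__ == "__main__":
    for problem in check_load_order(SAMPLE_BAD):
        print(problem)
```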

<Location /svnpath>
	# configure SVN
	DAV svn
	SVNListParentPath on
	# any "/svnpath/foo" URL will map to the repository c:/Repository/Path/foo
	SVNParentPath c:/Repository/Path

	AuthName "Subversion Authentication"
	AuthType SSPI
	SSPIAuth On
	SSPIAuthoritative On
	# set the domain to authorize against
	SSPIDomain DOMAIN
	# On strips the domain name from the userid string (Off keeps it)
	SSPIOmitDomain On
	# let non-IE clients authenticate via Basic (the password is only
	# base64-encoded on the wire, so serve this location over HTTPS)
	SSPIOfferBasic On
	# should basic authentication have higher priority (Off = no)
	SSPIBasicPreferred Off
	SSPIUsernameCase lower

	# require the SVN Users group
	Require group "DOMAIN\Subversion Users"
</Location>

NOTE:
You'll want to change the site-specific values above to match your server's configuration. I believe the SSPIUsernameCase option is required, since several of the Apache modules are case sensitive. Keeping everything lowercase should help prevent problems when you're configuring things.

In the configuration above, anyone who is in the "Subversion Users" group will have access to the location specified. For our purposes, you either have full access to the SVN or none at all. If you need more granular control, you can use the AuthzSVNAccessFile directive to specify a Subversion access file. This will allow you to control what permissions each user actually has. For information on using an access file, see Michael Flanakin's "Windows Authentication with Subversion on Windows" post.

It was actually Michael's post that got me straightened out about the order of the LoadModules.
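
For the AuthzSVNAccessFile approach mentioned above: the access file is matched against the user name Apache receives from mod_auth_sspi, so entries written as DOMAIN\User or in mixed case will not match under the settings in this post. The following added example (not from the original post or from Subversion) models that name transformation and lists access-file entries that can never match; the function names and sample access file are constructed, and the model assumes SSPIOmitDomain strips the DOMAIN\ prefix and SSPIUsernameCase folds case as their names indicate.

```python
import configparser


def sspi_username(account, omit_domain=True, case="lower"):
    """Model (an assumption of this example) of the name passed on for DOMAIN\\user."""
    name = account.split("\\", 1)[-1] if omit_domain else account
    return {"lower": name.lower(), "upper": name.upper()}.get(case, name)


def authz_users(authz_text):
    """Yield (section, user) for each plain user name in a Subversion access file."""
    parser = configparser.RawConfigParser(
        delimiters=("=",), comment_prefixes=("#",), strict=False)
    parser.optionxform = str  # keep the case of the names as written
    parser.read_string(authz_text)
    for section in parser.sections():
        if section == "aliases":
            continue
        for key, value in parser.items(section):
            # [groups] lists users on the right of '=', path sections on the left
            names = value.split(",") if section == "groups" else [key]
            for name in names:
                name = name.strip().lstrip("~")
                # skip @groups, &aliases, $tokens and the '*' wildcard
                if name and name[0] not in "@&$*":
                    yield section, name


def unmatched_entries(authz_text, omit_domain=True, case="lower"):
    """Entries that differ from what SSPI would send and so can never match."""
    return [(section, name) for section, name in authz_users(authz_text)
            if sspi_username(name, omit_domain, case) != name]


# Constructed sample access file; the users and repository name are made up.
SAMPLE_AUTHZ = r"""
[groups]
developers = jsmith, MJones
[/]
* =
[project1:/]
@developers = rw
DOMAIN\contractor1 = r
"""

if __name__ == "__main__":
    for section, name in unmatched_entries(SAMPLE_AUTHZ):
        print(f"[{section}] {name!r} -> use {sspi_username(name)!r}")
```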

Now that I have everything configured, I can log in to Trac and Subversion (using TortoiseSVN or Subclipse) with the same login credentials. Not only does this make it easier to administer in the long run, it makes it easier for our developers as well.

Now I just need to finish configuring Trac and get Mylyn up and running!

Comments

Reinaldo Coelho Sartorelli:
In my job, I need to have more granular control in SVN for Windows users.

My config is:

#SSPI Modules
LoadModule sspi_auth_module bin/mod_auth_sspi.so

#SVN Modules
LoadModule dav_svn_module bin/mod_dav_svn.so
LoadModule authz_svn_module bin/mod_authz_svn.so

<Location /svn/>
DAV svn

# path
SVNListParentPath on
SVNParentPath "C:/work/SVN_REPOS/"
SVNIndexXSLT "/svnindex.xsl"
SVNPathAuthz on

# authentication
AuthName "Subversion Authentication"
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIDomain DOMAIN
   SSPIOmitDomain On # keep domain name in userid string
   SSPIOfferBasic On # let non-IE clients authenticate
   SSPIBasicPreferred Off # should basic authentication have higher priority
   SSPIUsernameCase lower
#Require valid-user
Require group DOMAIN\GROUP

# authorization
AuthzSVNAccessFile "C:/work/SVN_REPOS//authz"

</Location>

But it does not work fine :-(

Can you help me?

Tks,
Reinaldo.

Dan G. Switzer, II:
@Reinaldo:

What kind of problems are you having?

I'm not an Apache-guru by any means, but maybe the quotes around your directory paths are causing a problem. Also, the path to your AuthzSVNAccessFile has double forward slashes in the path.

Dan G. Switzer, II:
@Reinaldo:

Also make sure that you've got the correct DOMAIN and GROUPs configured.

David:
Does anyone know how the SSPIDomain Domain piece works? I did not specify my domain, but users in 3 different domains can authenticate just fine without any problems. I'd like to know if it picks up the domain name from the local machine that is authenticating.

Dan G. Switzer, II:
@David:

My guess is if you're not using Active Directory or a Domain controller, not specifying the SSPIDomain will go from the local. I have an AD server in my configuration and couldn't get it to work without specifically specifying the SSPIDomain.

Dave:
Looks like if you do not specify a domain and you are using AD, it will traverse from the local machine's trusted Domains list in order to authenticate a user. I now have this working for 3 different domains.

Thanks for the writeup

Vishal Sharma:
Hi, I just wanted to check if it's possible to do Windows Authentication without using Apache.

Thanks

Dan G. Switzer, II:
@Vishal:

Since I've never used the built-in SVN server, I can't say for sure, but I would think you can't use Windows Authentication with svnserve (since the core of SVN is built to be OS agnostic). When you run SVN via Apache, Apache is actually responsible for the authentication (not SVN) and since you can configure Apache for Windows Authentication, you can also authenticate your SVN repositories against your Windows user base.

Vishal Sharma:
I managed to configure stuff with Apache and logins are now using Windows AD. But I have run into this strange problem now. I am unable to commit large files (files >100MB) to my svnserver. I get the below error:
[Thu Jun 05 15:26:27 2008] [error] [client 10.10.8.163] (OS 87)The parameter is incorrect. : authentication failure for "/svn/vsharma/!svn/act/da4e41cf-788d-b14e-9258-0056d50729e9": user unknown, reason: cannot generate context

However, smaller file commits work just fine. Any pointers?

Thanks,

(I am not sure if this is the right place to ask this question. Apologies in advance if it's not. Thanks again.)

Dan G. Switzer, II:
@Vishal:

I'd recommend you post your question to the SVN mailing list. I wonder if you're exceeding the HTTP post limit of your Apache install or if there's a problem with your configuration. I don't think I've ever tried committing a single file that was over 100MB in size. I certainly have repositories that are much larger than that, but I'm not sure any one single file has ever exceeded 100MBs.

Terrence Montgomery:
I would like to configure this for a standalone Windows XP and Apache 2.2.8 install.

Does this mod allow authentication against local Windows accounts? If so, has anyone gotten it to work successfully? If so, can you provide the httpd.conf, specifically the "Load Module" lines and the "Directory" lines?

So far, I have only gotten the following message when I type the credentials of a local Windows account:
Authorization Required
This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.

I know that I am not mistyping the credentials, so I am posting here for more input.

Thanks.

Dan G. Switzer, II:
@Terrence:

I've not tried getting Windows Authentication working under Windows XP--so I'm not sure. However, that's what I'd dig around with specifically. See if you can find anyone who's gotten Apache to authenticate against some local Windows XP accounts.

It might be as simple as getting the DOMAIN option right (I might even try leaving that blank for local accounts.)

JV...:
Hi all..

I'm trying to set it up so users can log on with domain authentication or file, but can't get it to work... for some reason only the domain authentication works but not the file's... but if I comment all the SSPI part, it does work, so I'm kind of lost here... any idea??

Here is my code:

LoadModule sspi_auth_module modules/mod_auth_sspi.so
LoadModule dav_module modules/mod_dav.so
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authz_svn_module modules/mod_authz_svn.so

<Location /svn>
DAV svn
SVNListParentPath on
SVNParentPath D:/SVN/Repository/

AuthName "SVN Repository"
AuthzSVNAccessFile conf/svnaccess.conf

AuthType SSPI
SSPIAuth On
SSPIAuthoritative Off
SSPIDomain NETDOM
SSPIOfferBasic On
##########################
AuthType Basic
AuthBasicAuthoritative Off
AuthUserFile conf/svnusers.conf

Require valid-user
</Location>

By the way, this is Apache 2.2.8

Thanks guys

Dan G. Switzer, II:
@JV:

I'm pretty sure you can only use one authorization method. So, you're either going to be using SVN or a conf file.

What you could probably do is set up different "Location" directives--one for Windows Authentication and one for local authentication. That means the paths would be different, but that should allow you to use 2 different authentication schemes for the same physical directory.

JV...:
Thanks for the quick answer...

On this webpage (http://tortoisesvn.net/docs/release/TortoiseSVN_en...), under the title Multiple Authentication Sources, they say it's possible, but the thing is they are using the module mod_auth.so, which is available only in versions prior to 2.1 and doesn't work in 2.2.x

JV...:
That's why I'm using mod_auth_basic.so instead, but can't make it work

Jonas:
This works for me:
#NT Domain Login
   SVNPathAuthz off
   AuthType SSPI
   SSPIAuth On
   SSPIAuthoritative On
   SSPIDomain <Domaincontroller>
   SSPIOfferBasic On

   #Htpasswd Logins
   AuthType Basic
   AuthBasicAuthoritative Off
   AuthUserFile passwd

   Require valid-user

ulli:
Hi,

I am getting the below error while trying to restart Apache.

Can't load D:\Apache Group\Apache2\modules\mod_auth_sspi.so into server; the specified module couldn't be found. But I have already copied the required module (version: mod_auth_sspi-1.0.4-2.2.2) into D:\Apache Group\Apache2\modules.

Here is my code.

LoadModule dav_module modules/mod_dav.so
LoadModule sspi_auth_module modules/mod_auth_sspi.so
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so


Apache version : 2.0
Please help me out.

Thanks,
Ulli.

Dan G. Switzer, II:
@Ulli:

I suggest you go to an Apache forum and pose your question there.

Gaurav:
Hello

I have implemented the "mod_auth_sspi" module as suggested by you. Now my Windows authentication is working fine. When I open my application, it first asks me for the username and password. And if I provide the username and password, it allows me to log in.

But I want my application to automatically fetch the username and password if the user is already logged in to his/her machine and return the username for further work.

Any help would be greatly appreciated

Thanks

Dan G. Switzer, II:
@Gaurav,

In order to do something like that, you'd need to write either a custom browser or create a browser plug-in that your users would need to install. Browsers don't have knowledge of your Windows authentication status, nor should they.

Manoj:
Not able to enable basic authentication on Apache 2.2.9 in Red Hat Linux. I am trying to use a custom module in Apache. Whenever I send a request, Apache does not ask for user name and password. While the same thing works perfectly fine with Apache 1.3.41.
I am following the steps as under.
./configure --enable-ssl --enable-auth-digest --enable-mods-shared=rewrite --enable-auth-basic
make, make install.
Till this point it is successful.
I am putting following in httpd.conf.
<Location /wsman>
SetHandler wsman-handler
AuthType Basic
AuthNameOPENWSMNA
AuthUserFile /etc/openwsman/simple_auth.passwd
Require valid-user
Order allow,deny
Allow from all
</Location>

The same setting works perfectly fine with Apache 1.3. Can anybody point out where I am making a mistake?

Dan G. Switzer, II:
@Manoj:

Make sure you're using a module compiled for your version of Apache. Modules have to be compiled for the version of Apache you're using.

Manoj:
Thanks Switzer for the response.
Where do I have to compile the module from? In ./configure I have already mentioned to activate basic auth. Where will I get mod_auth_basic from?
I am not even able to trigger basic authentication with Apache 2.2.9.
I feel it should be some configuration option.
My custom module I have already built successfully and it is working fine.
-Manoj

Dan G. Switzer, II:
@Manoj:

I'd really recommend asking your questions on an Apache mailing list or forum.

et:
good
